OW2 user roles


Context

Most third-party applications (Atlassian tools, XWiki, etc.) define their own permission model and cannot retrieve a user<>roles<>permissions mapping from an external endpoint: they only see users and groups.
When we say we want a roles layer to be part of our systems and tied to our applications, we mean:
    - Provide a way to store the user/group<>roles<>permissions<>app mapping in the LDAP directory
    - Provide a way to push/sync that mapping to each application (through the application's API where one exists)

Maintaining a user/group<>roles<>permissions<>app mapping is therefore a must.

Any application or script written by OW2 itself has to implement the roles layer in order to be part of the "system".

Below is an initial list of the OW2 roles identified so far and their possible permissions. In the final implementation it must remain possible to change the assignment of permissions to roles at any time.

Definitions

Management Office (MO)

"The Management Office is a small team of professionals appointed to run the day-to-day operations of the Consortium."
Also called MO, see Management_Office.

Entity

"An entity is something that exists in itself, actually or potentially, concretely or abstractly, physically or not." (source: Wikipedia). In the scope of OW2, an entity can be an Organisation, Project, User, Member...

User

A user is a human whose path crosses that of the OW2 Consortium.

Account

An account is a digital object representing a user. An account has an e-mail address field, and two distinct accounts cannot share the same e-mail address. Every user except the anonymous user has at least one account. A user can have several accounts.

Update following a discussion with Benoit: a user is meant to have a single account on the OW2 platform, which supersedes the "several accounts" statement above. If a user has several accounts, they should be merged. A user can, however, have several roles.

Organization

An organization is an object entity representing:

  • the details of the organization
  • a set of accounts

Member

A member is either:

  • a user who has an account with which he has accepted (signed) the OW2 by-laws (commonly called an "Individual Member").
  • an organization whose legal representative has accepted the OW2 by-laws (commonly called a "Strategic Member" or "Corporate Member").

Project

A project is an object entity representing:

  • the details of the project
  • a set of accounts

Role

A role is a set of permissions to accomplish specific operations in regard to job functions. An account can have zero, one or many roles. An organization may also have roles; in that case, the accounts belonging to that organization inherit all of its roles.
Users and groups can be assigned to a role, and the role is in turn associated with a set of permissions.

Individual roles

Anonymous

(=unregistered)

Permissions:

  • Browse data from all the public projects

Basic

(inherits from Anonymous, also referred to as Guest)

Permissions:

  • Open issues in a tracker
  • Update profile
  • Request membership
  • Request contribution in project (this implies a registration to the Consortium)

MH: a user should be committed to a legal status before being assigned the _Starter Member_ role and the roles beyond it.

Starter Member

We need this role if we think the "Individual Member", "Corporate Member" and "Strategic Member" roles should be managed separately (exclusive).

If not (inclusive), we can drop it and merge it into the "Individual Member" role. In that case "Individual Member" would never be assigned directly to a contributor, since it would always be inherited indirectly; the only direct holders of the "Individual Member" role would be people who are not contributors yet.

(inherits from Basic)

Permissions:

  • Submit a proposal

Individual Member

(inherits from Starter Member)

Permissions:

  • Vote for an Individual Member Representative (to be checked: who can be a representative)

Project Contributor

(inherits from Starter Member)

Permissions:

  • Browse the project and contribute to it (VCS, wiki, etc.)
  • Git: read/write
  • Bamboo: read/write

Project Manager

(inherits from Project Contributor)

Permissions:

  • Administer his project in all the forge tools (wiki, JIRA, SYMPA, …)
  • SYMPA: owner of his project's lists, can request a new list
  • Administer his project's dashboard page on the OW2 site
  • Create a topic in the Programming Contest list
  • Edit the TC space on the main site

Manager

(inherits from Starter Member)

MH: typically MO members; we could assign an MO group to this role.

Permissions:

  • Dashboards administration
  • SYMPA: create a list, add/remove users to/from a list
  • User management: add, update, add to group, add roles, remove roles, …
  • XWiki: access to all wikis, create space, create page, delete page or space

Administrator

(inherits from Manager)

Permissions:

  • SYMPA: admin / listmaster
  • User management: admin
  • XWiki: farm admin (create wikis)

ManagementOffice Member

(inherits from Manager)

Corporate Member Representative

(inherits from Starter Member; implies the Corporate Member role)

Permissions:

  • Vote for a Corporate Member representative

Strategic Member Representative

(inherits from Starter Member; implies the Strategic Member role)

Permissions:

  • Participate in the board

Individual Member Representative

(inherits from Starter Member; implies the Individual Member role)

Permissions:
(to be checked: what the Individual Member Representative can do)

OW2 Contact (CRM)

  • Detailed information can be accessed only by the MO

This document was drafted by MH and SL as a Google Doc and was migrated to this wiki in November 2015.

Organizational roles

A user who is a member of an organization automatically inherits the role(s) of that organization. A user account can be linked to at most one organization. If a user actually belongs to several organizations, he needs to create several accounts; note that this conflicts with the one-account-per-user decision recorded under Account above, and the two rules still have to be reconciled. An organization has one representative member who holds special roles.

Corporate Member

Permissions:

  • Vote for a corporate Member representative

Strategic Member

Permissions:

  • (does not vote)

Associate Member

Permissions:

  • (to be defined)
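The two mechanisms this page describes, storing the mapping in LDAP and syncing it to applications that only understand users and groups (Context), and resolving an account's effective roles through role inheritance, implied roles and organizational roles (Role, Organizational roles), are illustrated below with an added example. It is not OW2's own code or any existing OW2 tooling. The role and permission names are transcribed from this page (permission names shortened); the LDAP DIT layout (ou=roles / ou=people under dc=example,dc=org), the groupOfNames representation, and the sample accounts and organization are assumptions made for the example. It also validates the role table for dangling references and inheritance cycles, a check the page does not mention but which any roles layer should run before a sync, since a cycle would silently make every role in it equivalent to the strongest one.

```python
from collections import deque
from dataclasses import dataclass, field

# Role table transcribed from this page: name -> (parents, own permissions, implied
# roles); permission names shortened. Basic's "inherits from Guest" is read as
# Anonymous. The last three roles are organizational: held by organizations only.
ROLES = {
    "Anonymous": ((), {"browse public projects"}, ()),
    "Basic": (("Anonymous",), {"open issues", "update profile", "request membership",
                               "request contribution"}, ()),
    "Starter Member": (("Basic",), {"submit proposal"}, ()),
    "Individual Member": (("Starter Member",), {"vote IM representative"}, ()),
    "Project Contributor": (("Starter Member",), {"contribute to project", "git rw", "bamboo rw"}, ()),
    "Project Manager": (("Project Contributor",), {"administer project", "sympa list owner",
                        "own dashboard", "contest topic", "edit TC space"}, ()),
    "Manager": (("Starter Member",), {"dashboards admin", "sympa create list",
                                      "user management", "xwiki all wikis"}, ()),
    "Administrator": (("Manager",), {"sympa listmaster", "user management admin",
                                     "xwiki farm admin"}, ()),
    "ManagementOffice Member": (("Manager",), set(), ()),
    "Corporate Member Representative": (("Starter Member",), {"vote CM representative"}, ("Corporate Member",)),
    "Strategic Member Representative": (("Starter Member",), {"participate in board"}, ("Strategic Member",)),
    "Individual Member Representative": (("Starter Member",), set(), ("Individual Member",)),
    "Corporate Member": ((), {"vote CM representative"}, ()),
    "Strategic Member": ((), set(), ()),
    "Associate Member": ((), set(), ()),
}

def validate_roles(roles=ROLES):
    """Reject dangling references and inheritance cycles before the mapping is written anywhere."""
    for name, (parents, _, implied) in roles.items():
        for ref in parents + implied:
            if ref not in roles:
                raise ValueError(f"{name} references unknown role {ref!r}")
    done = set()

    def visit(name, stack):
        if name in stack:
            raise ValueError("inheritance cycle: " + " -> ".join(stack + [name]))
        if name not in done:
            for parent in roles[name][0]:
                visit(parent, stack + [name])
            done.add(name)

    for name in roles:
        visit(name, [])
    return True

def expand(direct, roles=ROLES):
    """Transitive closure over parent and implied roles; the visited set keeps it terminating."""
    seen, queue = set(), deque(direct)
    while queue:
        name = queue.popleft()
        if name not in seen:
            seen.add(name)
            queue.extend(roles[name][0] + roles[name][2])
    return seen

@dataclass
class Organization:
    name: str
    roles: set = field(default_factory=set)

@dataclass
class Account:
    uid: str
    roles: set = field(default_factory=set)
    organization: "Organization" = None  # at most one, as the page requires

def effective_roles(account):
    """Direct roles plus the roles of the account's organization, expanded."""
    direct = set(account.roles) | (account.organization.roles if account.organization else set())
    return expand(direct)

def effective_permissions(account):
    return {p for r in effective_roles(account) for p in ROLES[r][1]}

def holders_of(permission, accounts):
    """Audit helper: who ends up with a permission, and through which role(s)."""
    return {a.uid: sorted(r for r in effective_roles(a) if permission in ROLES[r][1])
            for a in accounts if permission in effective_permissions(a)}

def to_ldif(accounts, base_dn="ou=roles,dc=example,dc=org"):
    """One groupOfNames entry per role listing its effective (flattened) holders: the target
    apps only understand users and groups, so inheritance is resolved here, not by them.
    The DIT layout is an assumption of this example."""
    by_role = {}
    for a in accounts:
        for r in effective_roles(a):
            by_role.setdefault(r, []).append(f"uid={a.uid},ou=people,dc=example,dc=org")
    lines = []
    for r in sorted(by_role):
        lines += [f"dn: cn={r},{base_dn}", "objectClass: groupOfNames", f"cn: {r}"]
        lines += [f"member: {m}" for m in sorted(by_role[r])] + [""]
    return "\n".join(lines)

# Constructed sample data (not real OW2 accounts or members).
ACME = Organization("Acme", {"Strategic Member"})
SAMPLE = [Account("alice", {"Project Manager"}), Account("bob", {"Administrator"}),
          Account("carol", {"Strategic Member Representative"}, ACME),
          Account("dave", {"Basic"}, ACME)]
```

Run `validate_roles()` first, then `to_ldif(SAMPLE)` to see the flattened groups an application would consume, and `holders_of("user management admin", SAMPLE)` to audit who actually ends up with an administrative permission after inheritance. Storing flattened membership in the directory is a deliberate choice here: it matches what the applications can read, at the cost that a change to the hierarchy requires re-running the sync rather than editing one LDAP entry.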